SlideShare a Scribd company logo

Serverless security for multi cloud workloads

Runcy Oommen
Runcy Oommen

This document discusses serverless security for multi-cloud environments. It provides an overview of serverless computing and cloud security models. It also describes security services available on AWS, GCP and Azure clouds and discusses how to harden functions as a service (FaaS) by disabling outbound internet access, restricting access to temporary directories and disabling child process execution. Specific exploits like accessing function handlers and manipulating temporary files are demonstrated. The talk recommends provisioning FaaS within private networks and using techniques like monkey patching to dynamically update code behavior and enhance security.

Related slideshows

Exploiting IAM in the google cloud platform - dani_goland_mohsan_farid
Exploiting IAM in the google cloud platform - dani_goland_mohsan_faridExploiting IAM in the google cloud platform - dani_goland_mohsan_farid
Exploiting IAM in the google cloud platform - dani_goland_mohsan_farid
 
XCloudLabs- AWS Overview
XCloudLabs- AWS Overview XCloudLabs- AWS Overview
XCloudLabs- AWS Overview
 
Policy as code what helm developers need to know about security
Policy as code what helm developers need to know about securityPolicy as code what helm developers need to know about security
Policy as code what helm developers need to know about security
 
1 of 34
Download to read offline
Serverless Security for Multi-Cloud 25-Apr-2020 | OSCONF Runcy Oommen
Next 30 mins… ✓ Serverless & generic cloud security overview ✓ Security services from GCP, AWS & Azure ✓ Shared Responsibility Model ✓ Scenarios for FaaS hardening ❑ Disable outbound internet connectivity ❑ Disable read/write on the /tmp directory ❑ Disable child process execution ❑ Disable read access to the function’s handler
Career ➢ Principal SDE, SONICWALL, ~17 yrs. industry experience primarily in systems, cloud (private/public), security, networking ➢ 8x certified in AWS, GCP & Azure ➢ Patent (India) in cloud security around distributed data storage ➢ Interest around serverless, containers and cloud native technologiesofferings. Firm believer of a multi-hybrid cloud future Community ➢ Community leader - AWS User Group, GDG Cloud & Cloud Native ➢ Regular speaker at domestic and international cloud/tech conferences ➢ Multiple hackathon wins in cloud/security topics ➢ Recognized by Google as a community influencer [~]$ whoami runcyoommen https://runcy.me roommen
“Serverless computing is a cloud computing execution model where cloud provider runs the server, and dynamically manages the resources.” Reference: https://en.wikipedia.org/wiki/Serverless_computing Defining “Serverless”
Serverless security for multi cloud workloads
How did we get here?
Serverless security for multi cloud workloads
Serverless security for multi cloud workloads
Serverless security for multi cloud workloads
Let’s define “Cloud security” Set of policies, technologies, applications and controls utilized to protect virtualized IP, data, applications, services and the associated infrastructure of cloud computing Reference: https://en.wikipedia.org/wiki/Cloud_computing_security
IT infrastructure & landscape has undergone a paradigm shift…
Traditional view
PaaS Modern view
So, how exactly should cloud security differ from traditional network security?
Ubiquitous The cloud is always reachable from anywhere, any time, any device Scalable You can add new features and thousands of users without breaking a sweat Integrated Security and other services talk to each other for full visibility Comprehensive The Cloud scans every byte – ingress and egress – including SSL & CDN Intelligent The cloud learns from every user and connection; any new threat is blocked for all Important facets of cloud
Early day cloud mindset Move Fast OR Stay Secure Modern day cloud mindset Move Fast AND Stay Secure
Cloud Features v/s Security Balances ➢ Agility ➢ Self-service ➢ Scale ➢ Automation ➢ Gate Keeper ➢ Standards ➢ Control ➢ Centralized
Serverless security for multi cloud workloads
AWS Security, Identity & Compliance Services
GCP Security Products & Capabilities
Azure Security Posture
Shared Responsibility Model In Cloud
STATE OF FaaS – LET’S HARDEN IT!
❑ Resources provisioned in cloud reside inside Virtual Private Cloud (VPC) ❑ FaaS should also be provisioned within this SDN wrapper dictated by network routes/configs/firewall rules
Serverless security for multi cloud workloads
Serverless security for multi cloud workloads
Functionality CV filtering app that accepts PDF file to perform text analysis Assumption Users will provide legitimate PDF filenames for processing Weakness Filename embedded into shell for direct shell command invocations Sample exploit runcyoommenhttps://tinyurl.com/infoleaksample
Exploit #1: Sub-process invocation at will from the execution context AWS Lambda Google Cloud Function https://tinyurl.com/faasexploits runcyoommen 1 2 3 1 2 3
Exploit #2: Access function handler of serverless function AWS Lambda https://tinyurl.com/faasexploits runcyoommen 1
Exploit #3: Access /tmp to manipulate contents during execution time Google Cloud Function https://tinyurl.com/faasexploits runcyoommen 1 2 1 2 AWS Lambda
Let’s do some “Monkey Patching” What? Technique to dynamically update the behavior of a piece of code Why? Extend the behavior of modules, classes or methods without actual modification of source code When? • Extend or modify behavior at runtime of libraries/methods • During testing to mock behavior of libs, modules, objects • Quickly fix issues, if we don’t have resources to roll proper fix
https://tinyurl.com/faasexploits ➢ Eclipsed the original definition of os.system() with a custom one ➢ Created a new safe_system() which is known only to us ➢ Use this new definition and repeat this for other definitions that are not required to be supported for your FaaS runcyoommen Sample patch
THIS FaaS IS A KILLER :)
Questions | Comments | Discussions runcyoommen https://runcy.me roommen

More Related Content

Serverless security for multi cloud workloads

  • 1. Serverless Security for Multi-Cloud 25-Apr-2020 | OSCONF Runcy Oommen
  • 2. Next 30 mins… ✓ Serverless & generic cloud security overview ✓ Security services from GCP, AWS & Azure ✓ Shared Responsibility Model ✓ Scenarios for FaaS hardening ❑ Disable outbound internet connectivity ❑ Disable read/write on the /tmp directory ❑ Disable child process execution ❑ Disable read access to the function’s handler
  • 3. Career ➢ Principal SDE, SONICWALL, ~17 yrs. industry experience primarily in systems, cloud (private/public), security, networking ➢ 8x certified in AWS, GCP & Azure ➢ Patent (India) in cloud security around distributed data storage ➢ Interest around serverless, containers and cloud native technologiesofferings. Firm believer of a multi-hybrid cloud future Community ➢ Community leader - AWS User Group, GDG Cloud & Cloud Native ➢ Regular speaker at domestic and international cloud/tech conferences ➢ Multiple hackathon wins in cloud/security topics ➢ Recognized by Google as a community influencer [~]$ whoami runcyoommen https://runcy.me roommen
  • 4. “Serverless computing is a cloud computing execution model where cloud provider runs the server, and dynamically manages the resources.” Reference: https://en.wikipedia.org/wiki/Serverless_computing Defining “Serverless”
  • 6. How did we get here?
  • 10. Let’s define “Cloud security” Set of policies, technologies, applications and controls utilized to protect virtualized IP, data, applications, services and the associated infrastructure of cloud computing Reference: https://en.wikipedia.org/wiki/Cloud_computing_security
  • 11. IT infrastructure & landscape has undergone a paradigm shift…
  • 14. So, how exactly should cloud security differ from traditional network security?
  • 15. Ubiquitous The cloud is always reachable from anywhere, any time, any device Scalable You can add new features and thousands of users without breaking a sweat Integrated Security and other services talk to each other for full visibility Comprehensive The Cloud scans every byte – ingress and egress – including SSL & CDN Intelligent The cloud learns from every user and connection; any new threat is blocked for all Important facets of cloud
  • 16. Early day cloud mindset Move Fast OR Stay Secure Modern day cloud mindset Move Fast AND Stay Secure
  • 17. Cloud Features v/s Security Balances ➢ Agility ➢ Self-service ➢ Scale ➢ Automation ➢ Gate Keeper ➢ Standards ➢ Control ➢ Centralized
  • 19. AWS Security, Identity & Compliance Services
  • 20. GCP Security Products & Capabilities
  • 23. STATE OF FaaS – LET’S HARDEN IT!
  • 24. ❑ Resources provisioned in cloud reside inside Virtual Private Cloud (VPC) ❑ FaaS should also be provisioned within this SDN wrapper dictated by network routes/configs/firewall rules
  • 27. Functionality CV filtering app that accepts PDF file to perform text analysis Assumption Users will provide legitimate PDF filenames for processing Weakness Filename embedded into shell for direct shell command invocations Sample exploit runcyoommenhttps://tinyurl.com/infoleaksample
  • 28. Exploit #1: Sub-process invocation at will from the execution context AWS Lambda Google Cloud Function https://tinyurl.com/faasexploits runcyoommen 1 2 3 1 2 3
  • 29. Exploit #2: Access function handler of serverless function AWS Lambda https://tinyurl.com/faasexploits runcyoommen 1
  • 30. Exploit #3: Access /tmp to manipulate contents during execution time Google Cloud Function https://tinyurl.com/faasexploits runcyoommen 1 2 1 2 AWS Lambda
  • 31. Let’s do some “Monkey Patching” What? Technique to dynamically update the behavior of a piece of code Why? Extend the behavior of modules, classes or methods without actual modification of source code When? • Extend or modify behavior at runtime of libraries/methods • During testing to mock behavior of libs, modules, objects • Quickly fix issues, if we don’t have resources to roll proper fix
  • 32. https://tinyurl.com/faasexploits ➢ Eclipsed the original definition of os.system() with a custom one ➢ Created a new safe_system() which is known only to us ➢ Use this new definition and repeat this for other definitions that are not required to be supported for your FaaS runcyoommen Sample patch
  • 33. THIS FaaS IS A KILLER :)
  • 34. Questions | Comments | Discussions runcyoommen https://runcy.me roommen